# sid 2017045 rev:3 -- heuristic for a possible "Drive" DDoS bot check-in. The msg
# says "Possible" and carries a "?", so treat a hit as a lead to triage, not a verdict.
# Scope: HTTP from $HOME_NET to $EXTERNAL_NET, any ports, client-to-server on an
# established flow.
# All of the following must hold:
#   - the method buffer contains "POST"
#   - the header buffer starts with "Host:" (depth:5) and contains no "Referer:"
#   - the header buffer contains "Content-Length: 17\r\n" exactly (no nocase, so the
#     casing and the single space after the colon must match)
#   - the header buffer ends with "-urlencoded\r\n", optionally followed by a blank
#     line (pcre /H); presumably the Content-Type line is last -- confirm on a sample
#   - the request body starts with "k=" (depth:2) and, per the two /P regexes, is
#     "k=" plus 15 characters from [a-z0-9] that are not all digits
#     (2 + 15 = 17, which agrees with the Content-Length check)
# On match the rule alerts and sets flowbit ET.Drive.DDoS.Checkin; presumably
# companion rules, not shown here, test that bit.
# NOTE(review): the fast_pattern is the two-byte "k=", a weak prefilter; profile
# before relying on this rule on busy links.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Drive DDoS? Check-in"; flow:established,to_server; content:"k="; fast_pattern; http_client_body; depth:2; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|17|0d 0a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/-urlencoded\r\n(\r\n)?$/H"; pcre:"/^k=[a-z0-9]{15}$/P"; pcre:"/^k=[0-9]*?[a-z]/P"; flowbits:set,ET.Drive.DDoS.Checkin; classtype:trojan-activity; sid:2017045; rev:3; metadata:created_at 2013_06_21, updated_at 2020_11_17;)

Added 2020-11-17 18:19:11 UTC


# sid 2017045 rev:3, snapshot whose metadata reads updated_at 2020_04_24.
# Fires on an outbound HTTP POST (established, to_server) with "Host:" as the first
# header, no Referer, "Content-Length: 17" and a body of "k=" plus 15 characters
# from [a-z0-9] that are not all digits. Alerts and sets flowbit
# ET.Drive.DDoS.Checkin. The msg marks this as a "Possible" match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Drive DDoS? Check-in"; flow:established,to_server; content:"k="; fast_pattern; http_client_body; depth:2; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|17|0d 0a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/-urlencoded\r\n(\r\n)?$/H"; pcre:"/^k=[a-z0-9]{15}$/P"; pcre:"/^k=[0-9]*?[a-z]/P"; flowbits:set,ET.Drive.DDoS.Checkin; classtype:trojan-activity; sid:2017045; rev:3; metadata:created_at 2013_06_21, updated_at 2020_04_24;)

Added 2020-04-24 18:20:32 UTC


# sid 2017045 rev:3, snapshot whose metadata has created_at and updated_at both
# set to 2013_06_21.
# Fires on an outbound HTTP POST (established, to_server) with "Host:" as the first
# header, no Referer, "Content-Length: 17" and a body of "k=" plus 15 characters
# from [a-z0-9] that are not all digits. Alerts and sets flowbit
# ET.Drive.DDoS.Checkin. The msg marks this as a "Possible" match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Drive DDoS? Check-in"; flow:established,to_server; content:"k="; fast_pattern; http_client_body; depth:2; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|17|0d 0a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/-urlencoded\r\n(\r\n)?$/H"; pcre:"/^k=[a-z0-9]{15}$/P"; pcre:"/^k=[0-9]*?[a-z]/P"; flowbits:set,ET.Drive.DDoS.Checkin; classtype:trojan-activity; sid:2017045; rev:3; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

Added 2018-09-13 19:47:10 UTC


Added 2018-09-13 17:57:46 UTC


# sid 2017045 rev:3 with the http protocol keyword and any/any ports; metadata has
# created_at and updated_at both set to 2013_06_21.
# Match logic: POST method, header buffer beginning with "Host:", no "Referer:",
# "Content-Length: 17\r\n" present, header buffer ending in "-urlencoded\r\n", and
# a body that is "k=" followed by 15 [a-z0-9] characters, not all of them digits.
# Sets flowbit ET.Drive.DDoS.Checkin in addition to alerting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Drive DDoS? Check-in"; flow:established,to_server; content:"k="; fast_pattern; http_client_body; depth:2; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|17|0d 0a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/-urlencoded\r\n(\r\n)?$/H"; pcre:"/^k=[a-z0-9]{15}$/P"; pcre:"/^k=[0-9]*?[a-z]/P"; flowbits:set,ET.Drive.DDoS.Checkin; classtype:trojan-activity; sid:2017045; rev:3; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

Added 2017-08-07 21:10:54 UTC


# sid 2017045 rev:2 -- written against protocol tcp with destination port
# $HTTP_PORTS and no metadata keyword. Coverage depends on how $HTTP_PORTS is
# defined in the sensor configuration: POSTs to ports outside it are not inspected
# by this form.
# Match logic: POST method, header buffer beginning with "Host:", no "Referer:",
# "Content-Length: 17\r\n" present, header buffer ending in "-urlencoded\r\n", and
# a body that is "k=" followed by 15 [a-z0-9] characters, not all of them digits.
# Alerts and sets flowbit ET.Drive.DDoS.Checkin.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Drive DDoS? Check-in"; flow:established,to_server; content:"k="; fast_pattern; http_client_body; depth:2; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|17|0d 0a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/-urlencoded\r\n(\r\n)?$/H"; pcre:"/^k=[a-z0-9]{15}$/P"; pcre:"/^k=[0-9]*?[a-z]/P"; flowbits:set,ET.Drive.DDoS.Checkin; classtype:trojan-activity; sid:2017045; rev:2;)

Added 2013-06-21 19:25:11 UTC


Topic revision: r1 - 2020-11-17 - TWikiGuest
 